Re: [MERGE] Use libcap instead of direct linux capability syscalls

Thu, 15 Oct 2009 17:04:43 -0700 

fre 2009-10-16 klockan 11:03 +1300 skrev Amos Jeffries:

> /* NP: keep these two if-endif separate. Non-Linux work perfectly well 

Sorry.. thought I had fixed that already..

> +#define PUSH_CAP(cap) cap_list[ncaps++] = (cap)
> 
> I can just see that converting to: 
> CAP_NET_ADMIN_ist[nCAP_NET_ADMINs++]=(CAP_NET_ADMIN) ...

Nope.. preprocessor is tokens based. But as this macro is farily simple
now it can just as well be expanded. I think the plan was to eventually
C++ encapsulate these details, but that's overkill here.

Updated patch attaced.

Regards
Henrik

# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: [email protected]\
#   tjj24dnri2arionc
# target_branch: http://www.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: e0544b31cc7e7f4f877a1b5939e6cfe26d60bc6f
# timestamp: 2009-10-16 01:58:06 +0200
# base_revision_id: [email protected]\
#   hhwys6416uxebd9y
# 
# Begin patch
=== modified file 'configure.in'
--- configure.in	2009-10-15 10:12:38 +0000
+++ configure.in	2009-10-15 14:28:22 +0000
@@ -2763,7 +2763,7 @@
   fi
 ],[AC_MSG_RESULT(yes)])
 if test "x$use_caps" = "xyes"; then
-  dnl Check for libcap1 breakage or libcap2 fixed (assume broken unless found working)
+  dnl Check for libcap1 header breakage or libcap2 fixed (assume broken unless found working)
   libcap_broken=1
   AC_CHECK_HEADERS(sys/capability.h)
   AC_CACHE_CHECK([for operational libcap2], $libcap_broken,
@@ -2773,6 +2773,7 @@
                    ]])],[libcap_broken=0],[])
   )
   AC_DEFINE_UNQUOTED([LIBCAP_BROKEN],$libcap_broken,[if libcap2 is available and not clashing with libc])
+  AC_CHECK_LIB(cap, cap_get_proc)
 fi
 
 AC_CHECK_TYPE(mtyp_t,AC_DEFINE(HAVE_MTYP_T,1,[mtyp_t is defined by the system headers]),,[#include <sys/types.h>

=== modified file 'src/tools.cc'
--- src/tools.cc	2009-08-28 01:44:26 +0000
+++ src/tools.cc	2009-10-15 23:57:26 +0000
@@ -1241,50 +1241,40 @@
 {
     /* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */
 #if defined(_SQUID_LINUX_)
-
 #if HAVE_SYS_CAPABILITY_H
-#ifndef _LINUX_CAPABILITY_VERSION_1
-#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
-#endif
-    cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
-    cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));
-
-    head->version = _LINUX_CAPABILITY_VERSION_1;
-
-    if (capget(head, cap) != 0) {
-        debugs(50, DBG_IMPORTANT, "Can't get current capabilities");
-    } else if (head->version != _LINUX_CAPABILITY_VERSION_1) {
-        debugs(50, DBG_IMPORTANT, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
+    cap_t caps;
+    if (keep)
+	caps = cap_get_proc();
+    else
+	caps = cap_init();
+    if (!caps) {
+	IpInterceptor.StopTransparency("Can't get current capabilities");
     } else {
-
-        head->pid = 0;
-
-        cap->inheritable = 0;
-        cap->effective = (1 << CAP_NET_BIND_SERVICE);
-
-        if (IpInterceptor.TransparentActive()) {
-            cap->effective |= (1 << CAP_NET_ADMIN);
+	int ncaps = 0;
+	int rc = 0;
+	cap_value_t cap_list[10];
+	cap_list[ncaps++] = CAP_NET_BIND_SERVICE;
+
+	if (IpInterceptor.TransparentActive()) {
+	    cap_list[ncaps++] = CAP_NET_ADMIN;
 #if LINUX_TPROXY2
-            cap->effective |= (1 << CAP_NET_BROADCAST);
+	    cap_list[ncaps++] = CAP_NET_BROADCAST;
 #endif
-        }
-
-        if (!keep)
-            cap->permitted &= cap->effective;
-
-        if (capset(head, cap) != 0) {
+	}
+
+	cap_clear_flag(caps, CAP_EFFECTIVE);
+	rc |= cap_set_flag(caps, CAP_EFFECTIVE, ncaps, cap_list, CAP_SET);
+	rc |= cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET);
+
+        if (rc || cap_set_proc(caps) != 0) {
             IpInterceptor.StopTransparency("Error enabling needed capabilities.");
         }
+	cap_free(caps);
     }
-
-    xfree(head);
-    xfree(cap);
-
 #else
     IpInterceptor.StopTransparency("Missing needed capability support.");
 #endif /* HAVE_SYS_CAPABILITY_H */
-
-#endif /* !defined(_SQUID_LINUX_) */
+#endif /* _SQUID_LINUX_ */
 }
 
 void *

# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWeXFlV4ABjxfgEQwef///39v
/2q////+YAnPj1q+owJFAC6wnTU1lAAoAMkTQSeRPUzQnpPakeiaaPU00GgAaaBo0aAA4yZNGgNG
mIyNDEMCaNMQYjQYQAGHGTJo0Bo0xGRoYhgTRpiDEaDCAAwYlSPFBiNMnkmAhpiYgDRoMAmjJkMJ
gikRojRpqniPSaaTKbFMyMQ1PTJqNEeiD1NBtQP1BJIBNNNAhCek1MaNJpH6oGRmoyMTR6mT1Hpp
PCjhAcBA/KxRq1hVPG4pZm3lBsotwW7hoeBiSZwQhH0/L5PH/kbyD/uLuplZbxN2y1f8fZogkkyC
aYHcL90IFWcSSwYKsiE+LyjBhNwLMnJqM1M9XJ8pp0hqwfSU6dKQuYVSv7m9a9R6u/J5/hu0DwLV
RcnDIAkUnMqGQkxuEOu/zzGEwQUAhFxmfXGk80CefYwUo9wwYQBxOcXyfCzqxcymxgpzi5iJF2EY
0U55YbSigl3BGUOeSjOVXxhd+FvrRBZasfyxaKQCJ8BskUW8K+C2l+leb4cJr4W3P2YqIV4EazdE
8uc3g5hmBhATdqv1zKZMU1u7PYqz7dBuGAPCEUqgRrsCOo6uAXo6SLqriqnF9gpXSmR5HTRV9R1w
70c8uFh1Rvee+vka9RAroY78lh1wpyiWupjVyVseZEn8VOsFimsDmAQ1hiiWNDJGbAgPJC0F+0TW
++nIjzgwJ/15qUHGK6ew0DchuHpVdSHu9mKHqu83NkJSlKUv4q17+o3uk1RctUCnrgZzP+b7Ub71
2FjNUJ0h2QAF5c3CNaULW2I4LvEOCB8xIcq2PcVJxcMCDFKug1Du/vsWNz6cTBEauEVNh1mBmHMm
YYYO3O9mSAZa+6RU1TYyWMUtUySH5SnLC7cVStSSkIhyBu9ST0nlhIk5RGFV4ATUOJsgy0HOGZXP
wlmeSofgIdmlz3OJUYcXVs9Q3ebx1dB3KvBYINMVohBsXHkTj1YPEWWV0HMgIsIqVGXOJYNughwR
jSMIYkM7BklpBqgIDIQEg73UVzsQiQl5mWamYkbR/80KjSZ0KGx1nlNdDK4+jqwlBjBtULMRB8Tk
QOL1GUE8RQwQoSfDqLciwjIYXS7MmZGg8qT2JFGbZBkbGpMqhd3IgYs2W+ETLe6iyiyU9h0mgQWF
ipGyELCatJwTDKTScBYWExMlRonuWo1NQ2MjUuJ5Y8yRRxdiZdhuQp57FWM+JQjmVcubCRQ2cL0h
1rQFmQTGjmlUcRKmCgMTXF1pCpQeaESZYU3rW/UcChmeH4IHIPKI6UGPghmZ8GzSeYiNx6f8qCI4
6Tkb7zieSw/l0Yp5yIQYtYjPN1TUgsdgHmpYcdRuYlFllZw5os6cMChKHQQNliZYC6UFcNGuP6xk
iTBA5rURkZkVIcZhqYD0JroXh3EdINnhcbexjosnsWOlPETMyXxEMYkDBxLoqbFxiZiTLmBFRE6x
y6pGR0jihGMSuGOuzPUdBGbzOCSC5YjpsctiphUeYiHGpUvjjMRusiYMdvBYLQmyJLPAwtYk7lvE
K/lUdodcdvbJOPnHp8OCB52FBbKJl4UTbEhwuhkNwFgxQfKYh89gRSCQLEHofgvQ4M2tkNVGTNqc
FXjQ8TR+x4n6on6Gv/OVmBmGAZmPWTDrYCp/VmZmD7ChCKlpJ7wiuw992bG//TxWNvcGAsCRYkZG
MxXXtoe9d5/4YgnMXPGf75Y5BwP4dB7/PAIiZbKB1AQeezFnQSOC47DFaBuJlIY+J9cihvqZqAt5
fBcxc1eZkajQ5zOcafQOvyah5BoabzUeW1msEGzcYmPVgSeY6BJkicKQsmYdHyqavYQxAUmdx3HY
WC8I6gwMHKMxBwdaphjEMIeV3U+sIHBkPHWBrkhnh2WScXko7oPzUTZkwBMR4tK4eZGvJ7eEtch8
zfNhuIMpIg+5H5mAYjwmVn+bxu+cB96rqDYTf1ZkwfMoaHAuZEw4D1ufbHwJkek0S9Lmcmc67iP3
tMIYKviNxlLjR/LSTLXHGkn78qFzsPmQUt8PXScquYi6/GAc3v1Ow8B6DVA86iKCoGAjxGI9YnMg
TWABA8IXKHI+8yHGPv3JjzypehChMXMQAnvEHadfvuAOerKj4LAFCXRwxjKpdxuB7ZDR5IFBu6HB
cEtxad6MUxsEEi8Lm8fEe1QaeVi52DGHyHNJD3TkEPPZ1/jSnMa0PFwFWoONCACrQZjZvD+n2Zuc
H0rwbkNmsBLCUReo5VK2wb4eaQO5h1HiLIXjIG55zxkDuJh2Gfcku0iMgySyNY/4DpDoDSwcqHY0
mhjHqql8GNbSBDCdZht/04Di3+iXELf67btHf9X3nvSCoIJBEiCTHkq+D0vAobN9eUY4H3IcABWv
Z4R//r9rEQvKOVACAe60d/vHsUrcJZ685Hh9PS2NTxqOcc3txQ9CjiuMVNeBaFXUh3+AyCg+l+1O
oS6ar69fv04qaqKtnTgJ5ge3qRoDfZ50bn+jmWmjldA39bi11KBtEvu0rkovpeJzD7dzc32PSuX4
20aSKQE0HMsDH1CCpz0lKikTJUYLedVqQqGowYpvRk51WY2IAWZSycEP9SUkIgAgTKhw5tqEBdGQ
YUCbR2wK/FmMuQa4gG22Jo/RtVfrUBx1oXTxw0Qk4ZuBXMQu5CDheF2iYZFtBpnxv43K5RhzAGg6
XXty4Ibm6d1gw47WT3pFV6jQ/UebEoTEBsKnRZBuFuLKGt6W8N5gSYZjaMWyQAsHOhVu3nNfDfCr
kqB38LRyQNJIbKOnPSYPMPAh3M6nIMMWDT+269hYXIowFBMpUdsMQQZF1WLJrrU5RAulTJXFPKZJ
tsJIh1od7e5BsolCRD2ATdMmWhrdoFrbrzcQ1jtNg6zcQfTYXqZ0NVvwQnUIGWQ3QJmZD4ocHRp8
UONyxq7smavaOi/8XFHQJ8nz+ZHPptQ7vOo2oZDS6PFt5giliml877NM37hKmTUXdjoQuRvzJc3X
v7Q9X7i7kinChIcuLKrw

Reply via email to